VYPR
Get started
← All advisories
Unrated severityNVD Advisory· Published Jul 6, 2015· Updated May 6, 2026

CVE-2015-2741

CVE-2015-2741

Description

Mozilla Firefox before 39.0, Firefox ESR 38.x before 38.1, and Thunderbird before 38.1 do not enforce key pinning upon encountering an X.509 certificate problem that generates a user dialog, which allows user-assisted man-in-the-middle attackers to bypass intended access restrictions by triggering a (1) expired certificate or (2) mismatched hostname for a domain with pinning enabled.

Affected products

17
  • Mozilla Corporation/Firefox9 versions
    cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*+ 8 more
    • cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*range: <=38.1.0
    • cpe:2.3:a:mozilla:firefox:31.0:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:firefox:31.1.0:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:firefox:31.1.1:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:firefox:31.3.0:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:firefox:31.5.1:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:firefox:31.5.2:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:firefox:31.5.3:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:firefox:38.0:*:*:*:*:*:*:*
  • Mozilla Corporation/Firefox Esr7 versions
    cpe:2.3:a:mozilla:firefox_esr:31.1:*:*:*:*:*:*:*+ 6 more
    • cpe:2.3:a:mozilla:firefox_esr:31.1:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:firefox_esr:31.2:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:firefox_esr:31.3:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:firefox_esr:31.4:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:firefox_esr:31.5:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:firefox_esr:31.6.0:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:firefox_esr:31.7.0:*:*:*:*:*:*:*
  • Oracle Corporation/Solaris
    cpe:2.3:o:oracle:solaris:11.3:*:*:*:*:*:*:*

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

13

News mentions

0

No linked articles in our index yet.